<VirtualHost *:80>
  ServerName {{ site_name }}
{% if server_aliases %}
  ServerAlias {{ server_aliases | join(" ") }}
{% endif %}
  ServerAdmin {{ server_admin }}
  TraceEnable Off

{% if x_forward %}
#  RequestHeader unset X-Forwarded-For
{% else %}
  RequestHeader unset X-Forwarded-For
{% endif %}

{% if gzip %}
  SetOutputFilter DEFLATE
{% endif %}

{% if enable_certgetter %}
  ProxyPass "/.well-known/acme-challenge" "http://certgetter01/.well-known/acme-challenge"
{% endif %}

{% if site_name == "fedoraproject.org" %}
  Include "conf.d/fedoraproject.org/expires.conf"
  Include "conf.d/fedoraproject.org/logs.conf"
  Alias /static/hotspot.txt /srv/web/hotspot.txt
{% endif %}

{% if site_name == "src.fedoraproject.org" %}
  Include "conf.d/src.fedoraproject.org/expires.conf"
{% endif %}

{% if sslonly %}
  RewriteEngine On
  RewriteCond %{REQUEST_URI} !/.well-known/acme-challenge/.*
  {% if site_name == "fedoraproject.org" %}
    RewriteCond %{REQUEST_URI} !/static/hotspot.txt
  {% endif %}
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE]
{% else %}
  Include "conf.d/{{ site_name }}/*.conf"
{% endif %}
</VirtualHost>

{% if ssl %}
<VirtualHost *:443>
  ServerName {{ site_name }}
{% if server_aliases %}
  ServerAlias {{ server_aliases | join(" ") }}
{% endif %}
  ServerAdmin {{ server_admin }}

{% if x_forward %}
#  RequestHeader unset X-Forwarded-For
{% else %}
  RequestHeader unset X-Forwarded-For
{% endif %}

{% if ansible_distribution == 'Fedora' and use_h2 %}
  Protocols h2 http/1.1
{% elif ansible_distribution == 'Fedora' %}
  # For this website, no h2 available
  Protocols http/1.1
{% else %}
  # RHEL7 does not use Protocols
{% endif %}

{% if gzip %}
  SetOutputFilter DEFLATE
{% endif %}

  SSLEngine on
  {% if ansible_hostname.startswith('proxy') %}
    SSLUseStapling on
  {% endif %}
{% if certbot %}
  SSLCertificateFile /etc/pki/tls/certs/{{ site_name }}.cert
  SSLCertificateKeyFile /etc/pki/tls/private/{{ site_name }}.key
  SSLCertificateChainFile /etc/pki/tls/certs/{{ site_name }}.intermediate.cert
{% else %}
  SSLCertificateFile /etc/pki/tls/certs/{{ cert_name }}.cert
  SSLCertificateKeyFile /etc/pki/tls/private/{{ cert_name }}.key
{% if SSLCertificateChainFile %}
  SSLCertificateChainFile /etc/pki/tls/certs/{{ SSLCertificateChainFile }}
{% endif %}
{% endif %}

  SSLHonorCipherOrder On

  # https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14
  # If you change the protocols or cipher suites, you should probably update
  # modules/squid/files/squid.conf-el6 too, to keep it in sync.
  SSLProtocol {{ ssl_protocols }}
  SSLCipherSuite {{ ssl_ciphers }}

{% if sslonly %}
  Header always add Strict-Transport-Security "max-age=31536000; {% if stssubdomains %}includeSubDomains; {% endif %}preload"
{% endif %}
  Include "conf.d/{{ site_name }}/*.conf"
</VirtualHost>
{% endif %}
